Privacy Policy

How we collect, use, and protect your personal information

1. Introduction & Scope

Pinecreek Restaurant & Farmstall ("Pinecreek", "we", "us", or "our"), located at R102 Old Gonubie Road, Holm Hill, Beacon Bay, East London, 5201, Eastern Cape, South Africa, is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA").

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website (pinecreek.co.za), WiFi captive portal (portal.pinecreek.co.za), QR table ordering system (orders.pinecreek.co.za), kiddies party booking system, loyalty programme, and all related digital services (collectively, "the Services").

This Privacy Policy should be read together with our Terms & Conditions, which govern your use of our Services.

Effective date: 1 March 2026

2. Responsible Party & Information Officer

In terms of POPIA, the responsible party for the processing of your personal information is:

Pinecreek Restaurant & Farmstall

R102 Old Gonubie Road, Holm Hill, Beacon Bay

East London, 5201

Eastern Cape, South Africa

Our designated Information Officer is:

The Manager

Pinecreek Restaurant & Farmstall

Phone: 043 732 1101

Email: info@pinecreek.co.za

The Information Officer is the designated point of contact for all POPIA-related requests, including requests to access, correct, or delete your personal information.

3. Personal Information We Collect

We collect different types of personal information depending on how you interact with our Services:

3.1 Website & WiFi Portal Registration

  • Email address (used as your unique account identifier, stored in lowercase)
  • Phone number
  • First and last name
  • Password (stored as a secure cryptographic hash — we never store your password in plaintext)
  • Account creation date and last login timestamp

3.2 WiFi Captive Portal Sessions

  • Device MAC address (normalised to uppercase for consistent identification)
  • IP address assigned to your device
  • Session authorisation and expiry timestamps (sessions last 24 hours)
  • Email address (stored in our network equipment binding records to associate sessions with accounts)

3.3 QR Table Ordering

  • Customer name (optional, provided at checkout)
  • Customer phone number (optional, provided at checkout)
  • Customer email address (optional, provided at checkout for receipts)
  • Order details: items selected, quantities, options chosen, special instructions, and order notes
  • Table identifier (UUID from QR code)
  • Payment method selected (pay at till or online)
  • Order timestamps
  • Geolocation coordinates (latitude and longitude) — only if you grant location access on your device. Sent to our ordering platform as part of the order for fraud prevention.

3.4 Kiddies Party Bookings

  • Birthday child's name and age
  • Organiser's name, email address, phone number, and optional secondary phone number
  • Physical address (optional)
  • Party details: selected venue, package, date, time slot, and guest counts (children and adults)
  • Additional information and special requests
  • Payment and deposit details (processed via payment gateway — see Section 7)

3.5 Contact Form Submissions

  • Name
  • Email address
  • Phone number (optional)
  • Subject category (general enquiry, reservation, event, feedback, or other)
  • Message content
  • Submission timestamp

3.6 Password Reset (OTP Verification)

  • Email address used to initiate the request
  • One-time password (OTP) — stored as a secure cryptographic hash, not in plaintext
  • Delivery method chosen (WhatsApp or email)
  • Number of verification attempts (maximum 3 allowed)
  • Timestamps for creation and expiry (OTPs expire after 10 minutes)

3.7 Loyalty Programme

If you participate in our loyalty programme (powered by PosiTack), the following information may be collected and processed:

  • Loyalty member number and membership status
  • Points balance and transaction history
  • Lifetime spend at our venue
  • Enrolment date

3.8 Age Verification

When you order alcoholic beverages, we require you to confirm that you are 18 years of age or older. Your age confirmation (a simple yes/no) is stored only in your browser's session storage for the duration of your ordering session. It is not transmitted to or stored on our servers.

4. How We Collect Information

We collect personal information through the following methods:

  • Directly from you — When you complete registration forms, contact forms, the ordering checkout, party booking forms, or password reset requests.
  • Automatically from your device — Your device MAC address and IP address are captured automatically during WiFi authentication. Login timestamps are recorded when you access your account.
  • From your browser's storage — We use localStorage and sessionStorage to maintain authentication state, cart contents, and session preferences (see Section 8 for details).
  • With your explicit permission — Geolocation coordinates are collected only when you grant location access on your device.
  • Through integrated platforms — PosiTack processes your order, loyalty, and party booking data on our behalf as part of delivering our Services.

5. Purpose of Processing

We process your personal information for the following specific purposes:

  • Creating and managing your website and WiFi portal account
  • Authenticating your identity and managing WiFi access sessions (MAC address binding)
  • Processing and fulfilling your QR table orders, including communicating your order to our kitchen
  • Processing and managing kiddies party bookings, including venue and time-slot allocation
  • Operating the loyalty programme (points accrual, reward redemption, membership management)
  • Processing payments through third-party payment gateways (PayFast, Ozow)
  • Delivering one-time passwords (OTPs) via WhatsApp or email for password resets
  • Responding to your contact form submissions and enquiries
  • Sending order confirmations and email receipts when you provide your email at checkout
  • Verifying your physical presence at our venue via geolocation (fraud prevention for QR orders)
  • Verifying your age for the purchase of alcoholic beverages (legal compliance)
  • Network management, security monitoring, and access control for our WiFi service
  • Improving our Services and website experience
  • Complying with legal obligations, including the Liquor Act 59 of 2003, the Consumer Protection Act 68 of 2008, and POPIA

6. Legal Basis for Processing

Under POPIA, we process your personal information on the following lawful grounds:

Consent (POPIA s11(1)(a))

When you voluntarily register for an account, submit a contact form, confirm your age for alcohol purchases, grant geolocation access, or make a party booking, you provide your consent for us to process the information you supply.

Contractual Necessity (POPIA s11(1)(b))

Processing your order details and payment information is necessary to fulfil your QR table orders. Managing your WiFi sessions and account credentials is necessary to provide the services you have requested.

Legal Obligation (POPIA s11(1)(c))

Age verification for alcohol purchases is required by the Liquor Act 59 of 2003. We are legally obligated to take reasonable steps to prevent the sale of alcohol to persons under 18.

Legitimate Interest (POPIA s11(1)(f))

Network security monitoring, fraud prevention (including geolocation verification), rate limiting to prevent abuse of our systems, and improving our Services are pursued under our legitimate interest, balanced against your rights and freedoms.

7. Third-Party Service Providers

We work with the following third-party service providers to deliver our Services. Each provider receives only the data necessary for their specific function:

PosiTack

Our ordering, loyalty, and party booking platform. PosiTack operates on the same server infrastructure as Pinecreek and processes your order details, contact information, loyalty data, party booking details, and geolocation coordinates (when included with orders).

When you register, log in, or reset your password on Pinecreek, your account credentials (stored as a secure cryptographic hash — never your plaintext password) are synchronised with the PosiTack platform. This enables seamless auto-linking of your account for ordering and loyalty features.

PayFast (Pty) Ltd

Processes credit and debit card payments for online orders and party booking deposits. When you pay online, you are redirected to PayFast's secure platform. Pinecreek does not store, process, or have access to your full card details. All payment data is handled directly by PayFast in accordance with their security standards and privacy policy.

Ozow (Pty) Ltd

Processes instant EFT / bank transfer payments. Your banking session is handled directly by Ozow on their secure platform. Pinecreek does not store or access your banking credentials.

Meta Platforms (WhatsApp Business API)

Used to deliver one-time passwords (OTPs) for password resets. Your phone number (normalised to South African country code +27) and the OTP code are shared with Meta solely for the purpose of delivering the verification message.

Email Service (SMTP)

We use an SMTP email service to send OTP emails for password resets, contact form confirmation emails, staff notification emails, and order receipts. Your email address and the relevant email content are transmitted through this service.

MikroTik (Local Network Hardware)

Our WiFi network management system operates on-premises. Your device MAC address, IP address, and email address are stored in binding records on our network equipment to manage WiFi access. This data is processed locally and is not transmitted to any external server.

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

8. Data Storage on Your Device

Our Services use your browser's local storage and session storage to provide essential functionality. We also use analytics and marketing cookies when you consent to them. For a complete list of all cookies and storage items, including analytics (Google Analytics) and marketing (Meta Pixel) cookies, please see our Cookie Policy. The essential items stored on your device are:

localStorage (persists until cleared)

  • Authentication tokens — JWT access token (expires after 1 hour) and refresh token (expires after 30 days, rotated on each use) to keep you logged in.
  • PosiTack tokens — Authentication token and expiry timestamp for the ordering and loyalty platform, plus a cached copy of your PosiTack customer profile.
  • Cart data — Your QR order cart contents, including table information, selected items, options, quantities, and notes. Automatically expires after 2 hours of inactivity.

sessionStorage (cleared when you close the browser tab)

  • Age verification confirmation — Records that you have confirmed your age for the current ordering session, so you are not prompted repeatedly.
  • Welcome guide state — Records whether you have dismissed the QR ordering welcome guide during the current session.

You may clear all stored data at any time by clearing your browser's site data for pinecreek.co.za and orders.pinecreek.co.za. Doing so will log you out of your account, clear your cart, and require re-verification for age-restricted orders.

9. Data Retention Periods

We retain your personal information for the following periods:

  • User accounts — Retained for as long as your account is active. You may request account deletion at any time by contacting our Information Officer.
  • WiFi session records — MikroTik network bindings expire and are removed after 24 hours. Session records in our database are retained indefinitely for your session history.
  • OTP verification codes — Expire after 10 minutes and are deleted from our database after successful verification.
  • Contact form submissions — Retained indefinitely as business records.
  • JWT access tokens — Expire after 1 hour. Refresh tokens expire after 30 days and are blacklisted after rotation.
  • Cart data — Expires after 2 hours in your browser's localStorage.
  • Age verification status — Cleared when you close your browser tab (sessionStorage).
  • Application logs — Email addresses are masked in log files. Log retention is managed by server configuration.
  • PosiTack data (orders, loyalty, party bookings) — Retained by PosiTack in accordance with their data retention policies.
  • MikroTik network bindings — Expire after 24 hours on hardware. Session records are retained indefinitely in our database.

When you request account deletion, we will delete or anonymise your personal information within 30 days, except where we are required to retain certain data by law or for legitimate business purposes (e.g., transaction records for tax compliance).

10. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction:

  • All passwords are stored as secure cryptographic hashes using industry-standard algorithms (PBKDF2 with SHA-256). We never store passwords in plaintext.
  • All communication between your browser and our servers is encrypted via HTTPS/TLS. HTTP Strict Transport Security (HSTS) is enabled.
  • Rate limiting is applied to authentication endpoints (registration, login, password reset) to prevent brute-force attacks and abuse.
  • JWT refresh tokens are rotated on each use and blacklisted after rotation to prevent token replay attacks.
  • OTP verification is limited to 3 attempts per code, with a 1-minute cooldown between new OTP requests.
  • Email addresses are masked in application log files to prevent incidental exposure.
  • Cross-Site Request Forgery (CSRF) protection is enabled on all state-changing operations.
  • Security headers are configured, including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
  • Expired WiFi sessions are automatically cleaned up by scheduled maintenance tasks.
  • Database access is restricted and connections are managed through controlled configurations.
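The password-hashing, OTP and log-masking controls described in Section 3.6 and in the list above can be illustrated in a few dozen lines. The code below is an added example written for this page; it is not Pinecreek's or PosiTack's own implementation. It assumes a PBKDF2 work factor of 600,000 iterations (the policy names the algorithm but not the iteration count), uses an in-memory dictionary in place of the database, and takes an injectable clock so the 10-minute expiry and 1-minute cooldown can be exercised without waiting. The helper names (`hash_secret`, `verify_secret`, `mask_email`, `OtpStore`) are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Limits stated in the policy (Sections 3.6 and 10).
OTP_TTL_SECONDS = 10 * 60        # codes expire after 10 minutes
OTP_MAX_ATTEMPTS = 3             # 3 verification attempts per code
OTP_COOLDOWN_SECONDS = 60        # 1-minute cooldown between new OTP requests
# Assumption: the policy names PBKDF2 with SHA-256 but not the work factor.
PBKDF2_ITERATIONS = 600_000


def hash_secret(secret: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password or OTP with PBKDF2-HMAC-SHA256 and a fresh random salt.

    The stored form is self-describing, so the work factor can be raised
    later without invalidating records hashed under the old setting.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def mask_email(email: str) -> str:
    """Mask the local part of an address before it is written to a log line."""
    local, sep, domain = email.partition("@")
    if not sep:
        return "***"
    return f"{local[:1]}***@{domain}"


@dataclass
class OtpRecord:
    otp_hash: str      # only the PBKDF2 hash of the code is kept
    created_at: float
    expires_at: float
    attempts: int = 0


class OtpStore:
    """In-memory stand-in for the OTP table (constructed for this example)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._records = {}  # keyed by lowercase email, matching Section 3.1

    def issue(self, email: str, code: Optional[str] = None) -> Optional[str]:
        """Create a code for delivery; returns None while the cooldown is active."""
        key = email.strip().lower()
        now = self._now()
        existing = self._records.get(key)
        if existing and now - existing.created_at < OTP_COOLDOWN_SECONDS:
            return None
        code = code or f"{secrets.randbelow(1_000_000):06d}"
        self._records[key] = OtpRecord(hash_secret(code), now, now + OTP_TTL_SECONDS)
        return code  # handed to the WhatsApp/email sender, never stored in plaintext

    def verify(self, email: str, code: str) -> str:
        """Return "ok", "wrong", "locked", "expired" or "no_code"."""
        key = email.strip().lower()
        record = self._records.get(key)
        if record is None:
            return "no_code"
        if self._now() >= record.expires_at:
            del self._records[key]
            return "expired"
        record.attempts += 1
        if verify_secret(code, record.otp_hash):
            del self._records[key]   # deleted after successful verification
            return "ok"
        if record.attempts >= OTP_MAX_ATTEMPTS:
            del self._records[key]   # code is burned after the third failure
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = OtpStore()
    issued = store.issue("Alice@Example.com")
    print("issued for", mask_email("alice@example.com"), "->",
          store.verify("alice@example.com", issued))
```

Two points worth noting: the attempt counter is incremented before the hash comparison, so a code cannot be retried more than three times regardless of how the comparison turns out, and `hmac.compare_digest` is used rather than `==` so that verification time does not leak how many digest bytes matched. Because the expired or exhausted record is removed, a subsequent `issue` for the same address is not blocked by the cooldown; whether that is acceptable depends on the rate limiting applied to the reset endpoint itself.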

11. Your Rights Under POPIA

Under the Protection of Personal Information Act 4 of 2013 (POPIA), you have the following rights:

  • Right of access (s23) — You may request confirmation of whether we hold your personal information and request access to that information.
  • Right to correction (s24) — You may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Right to deletion (s24) — You may request deletion of your personal information, subject to any legal retention requirements.
  • Right to object (s11(3)) — You may object to the processing of your personal information on reasonable grounds relating to your particular situation.
  • Right to withdraw consent — You may withdraw your consent to the processing of your personal information at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right not to be subject to automated decision-making (s71) — See Section 12 below.
  • Right to lodge a complaint — You may lodge a complaint with the Information Regulator of South Africa if you believe your rights have been infringed.

Response Timeframe

We will acknowledge receipt of your request within 5 business days and provide a substantive response within 30 days, as required by POPIA. We may need to verify your identity before processing your request to protect your personal information from unauthorised access.

12. Automated Decision-Making

In terms of POPIA section 71, we disclose the following about automated decision-making in our Services:

  • We do not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
  • Rate limiting is applied to prevent abuse of our systems. This is a security measure and does not constitute profiling. If you are temporarily blocked, you may wait for the rate limit to reset or contact us.
  • Geolocation verification checks your physical location against our venue coordinates. This is a fraud prevention measure. If your location cannot be verified, you may still place your order by speaking to a staff member.
  • Loyalty points are calculated based on your transaction history according to transparent programme rules. Point accrual is not based on profiling or automated individual assessment.

13. Data Breach Notification

In accordance with POPIA section 22, in the event of a security compromise that results in the unauthorised access to or acquisition of your personal information:

  • We will notify the Information Regulator of South Africa as soon as reasonably possible after becoming aware of the breach.
  • We will notify all affected data subjects as soon as reasonably possible, providing details of the breach, the personal information involved, and the steps we are taking to address it.
  • We will provide recommendations on steps you can take to protect yourself, such as changing your password.
  • We will take immediate steps to contain the breach, investigate the cause, and implement measures to prevent recurrence.

14. Children's Information

  • Kiddies party bookings collect the birthday child's name and age. This information is provided by the parent or legal guardian who makes the booking, not by the child directly.
  • We do not knowingly collect personal information directly from children under the age of 18 without the consent of a parent or legal guardian.
  • The QR ordering system, website registration, and WiFi portal are intended for use by persons aged 18 and older, or by younger persons under the supervision of a parent or guardian.
  • Age verification for alcohol purchases is a legal requirement that applies to all users. Persons under 18 may not purchase or order alcoholic beverages.
  • If we become aware that we have inadvertently collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. Changes will be effective immediately upon posting to this page, and the "Effective date" at the top will be updated accordingly.

For material changes that significantly affect how we process your personal information, we will make reasonable efforts to provide prominent notice on our website.

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy. We recommend reviewing this page periodically. Previous versions of this policy are available upon request.

16. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights under POPIA, or have a complaint about how your personal information has been handled, please contact our Information Officer:

The Manager (Information Officer)

Pinecreek Restaurant & Farmstall

R102 Old Gonubie Road, Holm Hill, Beacon Bay

East London, 5201

Eastern Cape, South Africa

Phone: 043 732 1101

Email: info@pinecreek.co.za

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:

The Information Regulator (South Africa)

Email: enquiries@inforegulator.org.za

Website: inforegulator.org.za

For terms governing the use of our Services, please refer to our Terms & Conditions.